The Justice Committee has today reported back on the Privacy Bill. This Report has been greatly anticipated (coming almost a year after the Bill was first introduced and referred to the Select Committee for consideration) for two reasons:

To see the extent to which the Select Committee would adopt the Privacy Commissioner’s submissions on the Bill from last year; and

Whether the Select Committee would provide for greater alignment between New Zealand’s privacy framework and comparable jurisdictions such as Europe (GDPR), California, and Australia.

The Report does not go as far as the Law Commission or Privacy Commissioner initially wished it to go. However, with further changes to the information privacy principles, greater accountability for national and international agencies transferring personal information offshore, and some targeted naming and shaming, the Select Committee has bolstered individual rights. In a media statement released today, the Privacy Commissioner has indicated his support of the Report.

We highlight below four of the key amendments that the Select Committee has recommended be made to the Bill before it is passed:

Extraterritorial effect… but not at a GDPR level

In line with European and Australian data protection legislation, the Report recommends that the Privacy Bill (when enacted) apply more broadly than to New Zealand agencies alone.

The Report recommends that the Bill apply to any action taken by (i) a New Zealand agency (whether inside or outside New Zealand); and/or (ii) an overseas agency carrying on business in New Zealand, in respect of all personal information collected or held by that agency in the course of carrying on business in New Zealand. This applies regardless of where the information was collected or held, and regardless of where the person to whom the information relates is located (whether or not they ordinarily reside in New Zealand).

An overseas agency may be treated as carrying on business in New Zealand for the purposes of its privacy obligations whether or not it has a physical presence in New Zealand, charges any monetary payment for goods or services, or makes a profit from its business in New Zealand.

Accordingly, the Bill will apply to an overseas agency that has collected personal information about an individual while carrying on its business in New Zealand. Whether this recommendation can be enforced against overseas agencies in practice… well, that is another question.

Accountability and a new IPP – Disclosure outside New Zealand

The Report retains the position set out in the current Privacy Act and the original Bill which specifies that agencies remain accountable for personal information, where that information is subsequently held by another agency for safe custody or processing.

This means that an agency that transfers personal information to a third party agent (such as a cloud storage provider) is still treated as holding that information and will remain liable for any privacy breach by that provider. However, the Report has recommended a change to the original wording of the Bill to clarify that the personal information will be treated as being held by both agencies if the third party agent uses or discloses the personal information for its own purposes.

A new Information Privacy Principle – IPP 12 – has been recommended to facilitate and protect disclosure of personal information outside of New Zealand. These disclosure requirements were already covered by IPP 11 in earlier versions of the Bill, but the Select Committee considered that, for the sake of clarity, the criteria for overseas disclosure ought to be covered in a separate IPP.

Higher threshold for mandatory breach reporting

The most common concern expressed in submissions has been addressed with the Select Committee clarifying the data breach reporting threshold under the proposed mandatory breach reporting regime.

The Select Committee recommends raising the reporting threshold from “harm” to “serious harm” to help reduce the risk of over-reporting, provide more certainty to agencies and better align the Bill with overseas jurisdictions. This threshold is accompanied by a “reasonable person” standard and a corresponding defence for failure to notify if the agency considered on reasonable grounds that the breach was not a “notifiable privacy breach”. Factors for agencies to consider when deciding whether a breach is a “notifiable privacy breach” include the sensitivity of the information and the nature of the harm that may be caused.

A notifiable privacy breach must be reported as soon as practicable after the agency becomes aware of the breach. However, the Bill contemplates that notification should sometimes be delayed: for example, where notification could reveal a security weakness in the agency’s systems that could be exploited, or where notification could do more harm to an individual. Importantly though, delay is only permitted for notification to the affected individuals – the Office of the Privacy Commissioner must still be notified as soon as is practicable.

The Select Committee’s recommendations in this area will no doubt be a relief to New Zealand agencies operating across the Tasman, as these changes better harmonise our proposed mandatory breach regime with the Australian equivalent.

Publication of compliance notices

The Select Committee has recommended an additional compliance mechanism by requiring the Commissioner to publish details of compliance notices (including the identity of the agency), unless it would cause the agency undue harm that outweighs the public interest.

While the Select Committee has not increased the monetary penalties under the Bill, this ‘naming and shaming’ approach is likely to be a significant incentive for compliance, particularly as consumers become aware of their strengthened rights under the Bill.

Next steps

The Bill will now head back to the House for a Second Reading and debate.